artsy / watt

Watt is a shared js/css/img asset library for Artsy Rails apps.
https://github.com/artsy/watt
MIT License

[Security] Bump rails from 4.2.7 to 6.0.0 #298

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps rails from 4.2.7 to 6.0.0. This update includes security fixes.

Vulnerabilities fixed

*Sourced from The GitHub Security Advisory Database.*

> **Critical severity vulnerability that affects actionview**
>
> # Denial of Service Vulnerability in Action View
>
> Impact
> ------
>
> Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server to be unable to process requests. This impacts all Rails applications that render views.
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Releases
> --------
>
> The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.
>
> Workarounds
> -----------
>
> This vulnerability can be mitigated by wrapping `render` calls with `respond_to` blocks. For example, the following example is vulnerable:
>
> ... (truncated)
>
> Affected versions: >= 4.0.0, <= 4.2.11

*Sourced from The GitHub Security Advisory Database.*

> **High severity vulnerability that affects actionview**
>
> # File Content Disclosure in Action View
>
> Impact
> ------
>
> There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.
>
> The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this:
>
> ```
> class UserController < ApplicationController
>   def index
>     render file: "#{Rails.root}/some/file"
>   end
> end
> ```
>
> ... (truncated)
>
> Affected versions: >= 4.0.0, <= 4.2.11

*Sourced from The Ruby Advisory Database.*

> **Broken Access Control vulnerability in Active Job**
>
> There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
>
> Impact
> ------
>
> Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.
>
> Vulnerable code will look something like this:
>
> ```
> MyJob.perform_later(user_input)
> ```
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Patched versions: >= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1
> Unaffected versions: < 4.2.0
Release notes

*Sourced from [rails's releases](https://github.com/rails/rails/releases).*

> ## 6.0.0.beta1
>
> ## Active Support
>
> * Remove deprecated `Module#reachable?` method.
>
>   *Rafael Mendonça França*
>
> * Remove deprecated `#acronym_regex` method from `Inflections`.
>
>   *Rafael Mendonça França*
>
> * Fix `String#safe_constantize` throwing a `LoadError` for incorrectly cased constant references.
>
>   *Keenan Brock*
>
> * Preserve key order passed to `ActiveSupport::CacheStore#fetch_multi`.
>
>   `fetch_multi(*names)` now returns its results in the same order as the `*names` requested, rather than returning cache hits followed by cache misses.
>
>   *Gannon McGibbon*
>
> * If the same block is `included` multiple times for a Concern, an exception is no longer raised.
>
>   *Mark J. Titorenko*, *Vlad Bokov*
>
> * Fix bug where `#to_options` for `ActiveSupport::HashWithIndifferentAccess` would not act as alias for `#symbolize_keys`.
>
>   *Nick Weiland*
>
> * Improve the logic that detects non-autoloaded constants.
>
>   *Jan Habermann*, *Xavier Noria*
>
> * Deprecate `ActiveSupport::Multibyte::Unicode#pack_graphemes(array)` and `ActiveSupport::Multibyte::Unicode#unpack_graphemes(string)` in favor of `array.flatten.pack("U*")` and `string.scan(/\X/).map(&:codepoints)`, respectively.
>
>   *Francesco Rodríguez*
>
> * Deprecate `ActiveSupport::Multibyte::Chars.consumes?` in favor of `String#is_utf8?`.
>
>   *Francesco Rodríguez*
>
> * Fix duration being rounded to a full second.
>
>   ```
>   time = DateTime.parse("2018-1-1")
>   time += 0.51.seconds
>   ```
>
>   Will now correctly add 0.51 second and not 1 full second.
>
> ... (truncated)
Commits

- [`66cabed`](https://github.com/rails/rails/commit/66cabeda2c46c582d19738e1318be8d59584cc5b) Preparing for 6.0.0 release
- [`f63df2b`](https://github.com/rails/rails/commit/f63df2bddac43d9716d3f96f89da1c79d583b04c) Merge pull request [#36949](https://github-redirect.dependabot.com/rails/rails/issues/36949) from 97jaz/thread-local-prepared-statements
- [`97f9609`](https://github.com/rails/rails/commit/97f9609d62000670112efa7b027336e2b1e7493b) Highlight `database.yml` as code block in multiple databases guide [ci skip]
- [`dee31b7`](https://github.com/rails/rails/commit/dee31b71cb6f9461523d017f429d14070ba742fd) Merge pull request [#36946](https://github-redirect.dependabot.com/rails/rails/issues/36946) from eugeneius/return_only_media_type_on_content_ty...
- [`d9aab35`](https://github.com/rails/rails/commit/d9aab35046793def049a687fd4fdca9e0578bcd4) Add entry about the classic autoload to the upgrading guide
- [`5b327db`](https://github.com/rails/rails/commit/5b327dbf85c73e7df0901c4fc8607b65f2bdacb4) Merge pull request [#36803](https://github-redirect.dependabot.com/rails/rails/issues/36803) from andrewkress/fix-issue-36799
- [`5eaf39b`](https://github.com/rails/rails/commit/5eaf39b1a8e53ac052365306ad9ffac6e7564745) Add note about human_attribute_name symbol/string
- [`e3b2a57`](https://github.com/rails/rails/commit/e3b2a57317eafb771973960b709a5c0fab4f6c4a) Fix attaching many uploaded files one at a time
- [`5a4305f`](https://github.com/rails/rails/commit/5a4305f0ec24c638aef582654ece476e0be62658) syncs autoloading guides from master [skip ci]
- [`ee5ee98`](https://github.com/rails/rails/commit/ee5ee98e92477d03056f5ad21030248a56db612d) edits the CHANGELOG [skip ci]
- Additional commits viewable in [compare view](https://github.com/rails/rails/compare/v4.2.7...v6.0.0)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
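Added example, not Dependabot's or Artsy's code: a small Ruby triage script that checks the versions pinned in a Gemfile.lock against the advisory ranges quoted above, using `Gem::Version`/`Gem::Requirement` from the rubygems library bundled with Ruby. The advisory names, the `gem:` mapping to the actionview/activejob component gems, and the lockfile excerpt are this example's own assumptions.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Version ranges exactly as quoted in the advisory text on this PR. Within one
# range, comma-separated constraints are ANDed; semicolons separate alternatives.
ADVISORIES = {
  "Action View DoS"                     => { gem: "actionview", affected: ">= 4.0.0, <= 4.2.11" },
  "Action View file content disclosure" => { gem: "actionview", affected: ">= 4.0.0, <= 4.2.11" },
  "Active Job GlobalID (CVE-2018-16476)" => { gem: "activejob", unaffected: "< 4.2.0",
    patched: ">= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1" },
}.freeze

# True if +version+ falls inside any of the semicolon-separated ranges. Gem::Version
# orders "4.2.11.1" after "4.2.11", so "<= 4.2.11" excludes the 4.2.11.1 fix release.
def in_any_range?(version, ranges)
  ranges.split(";").any? do |range|
    Gem::Requirement.new(range.split(",").map(&:strip)).satisfied_by?(version)
  end
end

# An advisory lists either affected ranges, or patched plus unaffected ranges.
def affected?(advisory, version)
  return in_any_range?(version, advisory[:affected]) if advisory[:affected]
  !in_any_range?(version, advisory[:patched]) &&
    !in_any_range?(version, advisory[:unaffected])
end

# Pinned version of +gem_name+ from the "specs:" section of a Gemfile.lock
# (top-level specs are indented four spaces; their dependencies six).
def locked_version(lockfile, gem_name)
  pin = lockfile[/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/, 1]
  pin && Gem::Version.new(pin)
end

# Returns { advisory name => true/false/nil }; nil when the gem is not locked.
def triage(lockfile)
  ADVISORIES.each_with_object({}) do |(name, adv), report|
    version = locked_version(lockfile, adv[:gem])
    report[name] = version && affected?(adv, version)
  end
end

# Constructed Gemfile.lock excerpt pinned at this PR's "from" version (not Artsy's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (4.2.7)
        activesupport (= 4.2.7)
      activejob (4.2.7)
      rails (4.2.7)
LOCK
```

Running `triage(SAMPLE_LOCK)` on the excerpt reports all three advisories as affected; bumping the pins to 4.2.11 clears only the Active Job one, which is why the advisory's separate fix release matters.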
artsy-peril[bot] commented 4 years ago
Warnings
:warning: It looks like code was changed without adding anything to the Changelog.
You can add #trivial in the PR body to skip the check.

Generated by :no_entry_sign: dangerJS against 4d92ad4e7794ad9fc39d7da7d454ee6e97d90ea8

dependabot-preview[bot] commented 4 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.